Botnet attacks are growing more ingenious and destructive, while researchers strive to catch up by creating better defenses. Carolyn Meinel describes some of the more promising efforts to combat these threats.


When Bill Mills of Truth or Consequences, NM put up a website for his ranch, he posted his phone number so people could call about his donkeys for sale. However, his new callers “mostly wanted to give me something for free,” he says. “Then they always said they needed the first four numbers on one of my credit cards” to prove his identity. These numbers identify the type of credit card. “Then they asked for more numbers. I kinda went along with one of them, then told him to eat **** and bark at the moon. I don’t know what’s wrong with these people.”

What's wrong is that phone spammers are taking advantage of Voice over Internet Protocol (VoIP) to make international calls at almost no cost, even when connecting with users of traditional public switched telephone networks.

It's going to get worse. According to a recent article in the IEEE Communications magazine, “Spam over IP telephony (SPIT) is expected to become a serious problem in the near future.... Taking into account...botnets, spamming in parallel from huge numbers of these machines, the cost of IP-based SPIT can decrease even more...”

Another new use of botnets appeared on September 6, 2008, when the price of United Airlines stock fell by 75 percent in just minutes. The culprit turned out to be a botnet attack that targeted an undated story about the airline's 2002 bankruptcy filing archived on the Florida Sun Sentinel website, making it appear that thousands of people were clicking on it. This storm of clicks automatically triggered a link on Google News. Because the story lacked a date stamp, Google automatically gave it the current date. In turn, Bloomberg, a news service that caters to investors, grabbed the seemingly breaking news and panic ensued.

Clearly, botnet attacks are growing more ingenious and destructive. Consequently, researchers are seeking ways to combat them without having to rely on outmoded techniques such as signatures or any other a priori knowledge of attack technologies. They seek to detect infected devices, determine the objectives of each botnet attack, illuminate their C&C (command and control) structures and, ideally, trace back to the owner. And—they seek to do all this without accidentally shutting down legitimate network traffic or disabling essential devices such as laptops belonging to top managers.

Examples of these research projects follow.

Botnet Detection in the Core

In the previous examples, the entire schemes took place outside the victim's systems. It is hopeless to expect the owners of devices infected by this sort of botnet to solve the problem. The reason is that such botnets do no obvious harm to the infected devices, yet detecting and removing them is expensive. Why should sysadmins go to all that effort to solve someone else's problem?

Hence the botnet problem is a classic tragedy of the commons. A commons is a resource shared by everyone—for example, a meadow where anyone is free to turn out stock to graze and nobody has the power to prevent overexploitation.

Wang noted that operating sensors on edge routers (which manage traffic between autonomous systems and the backbones) would be easier from the technical standpoint. However, she argued that if the technical challenges can be overcome, core sensors should, on average, detect attacks faster. Additionally, this tactic would require fewer sensors, and thus might cost less.

A core sensor, she said, should be able to measure:

Volume

Rates of growth by IP address

Port statistics

Sources to destinations

Back scatter traffic (e.g., bad email addresses and TCP resets)
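The five measurements above, as an added example that is not from the article or from any sensor it describes: a small Python aggregator that derives them from NetFlow-style records. The record layout, the thresholds and the sample traffic are all constructed for illustration.

```python
# Added example, not from the article: a toy "core sensor" that derives the five
# measurements above from constructed NetFlow-style records.
from collections import Counter, defaultdict

# Constructed records: (time_s, src, dst, dst_port, tcp_flags, bytes).
# Flags: "S" = SYN, "SA" = SYN/ACK, "R" = RST.
FLOWS = (
    # one host fanning out to new SMTP servers, faster in the second window
    [(t, "10.0.0.5", f"198.51.100.{10 + t}", 25, "S", 120) for t in range(3)]
    + [(t, "10.0.0.5", f"198.51.100.{10 + t}", 25, "S", 120) for t in range(10, 16)]
    + [
        (3, "10.0.0.6", "198.51.100.7", 443, "S", 600),   # normal client request
        (4, "198.51.100.7", "10.0.0.6", 443, "SA", 600),  # solicited reply
        (5, "203.0.113.9", "10.0.0.40", 80, "SA", 60),    # reply nobody asked for
        (6, "203.0.113.9", "10.0.0.41", 80, "R", 60),     # reset nobody asked for
    ]
)


def core_sensor(flows, window=10):
    """Aggregate flows into the per-source statistics a core sensor would track."""
    volume = Counter()                 # bytes sent per source
    fanout = defaultdict(set)          # source -> distinct destinations
    ports = Counter()                  # destination-port popularity
    per_win = defaultdict(lambda: defaultdict(set))  # source -> window -> dsts
    seen_syn = set()                   # (client, server) pairs that sent a SYN
    backscatter = Counter()            # SYN/ACK or RST with no matching SYN
    for t, src, dst, dport, flags, nbytes in sorted(flows):
        volume[src] += nbytes
        fanout[src].add(dst)
        ports[dport] += 1
        per_win[src][t // window].add(dst)
        if flags == "S":
            seen_syn.add((src, dst))
        elif flags in ("SA", "R") and (dst, src) not in seen_syn:
            backscatter[src] += 1
    growth = {}                        # peak window-over-window growth in destinations
    for src, wins in per_win.items():
        counts = [len(wins[w]) for w in sorted(wins)]
        ratios = [b / a for a, b in zip(counts, counts[1:])]
        growth[src] = max(ratios) if ratios else 1.0
    return {"volume": volume, "fanout": {s: len(d) for s, d in fanout.items()},
            "ports": ports, "growth": growth, "backscatter": backscatter}


def suspicious(report, fanout_min=5, growth_min=1.5):
    """Sources whose fan-out is both large and accelerating (thresholds are illustrative)."""
    return sorted(s for s, n in report["fanout"].items()
                  if n >= fanout_min and report["growth"][s] >= growth_min)
```

On the sample traffic the SMTP fan-out host is the only source flagged, while the unsolicited SYN/ACK and RST from 203.0.113.9 show up as backscatter rather than as a scanner.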

However, Wang noted that attack detection in the core poses technical challenges:

The throughput in the core is too high for today’s intrusion detection sensors.